Service Control Policies

  • Policy documents (JSON) used to set permission boundaries for AWS accounts within an organization.

  • Do NOT grant permissions, only restrict what actions can be performed.

  • Apply even to the root user of a member account.


📌 Where Can SCPs Be Attached?

  1. Root of the organization → affects all accounts in the org.

  2. Organizational Unit (OU) → affects:

    • Accounts in the OU.

    • All nested OUs and accounts beneath it.

  3. Individual AWS Accounts → affects only those accounts.


πŸ” How SCPs Inherit

  • SCPs inherit down the organization tree.

  • Attach at root → impacts the entire organization.

  • Attach to OU → impacts that OU and all children (accounts + nested OUs).

  • Attach to account → impacts just that one account.


🚫 Management Account Exception

  • SCPs do NOT apply to the management account, even if attached.

  • The management account is exempt from all SCP restrictions.


🧱 Key Characteristics

  • Define the maximum permissions an account can have.

  • Work together with IAM policies: IAM grants permissions, the SCP limits them, and a request succeeds only when both the IAM policy and every SCP on the path to the account permit it.

  • Think of SCPs as a fence: they set the outer boundary for what’s allowed.
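The inheritance rule, the management account exception and the "IAM grants, SCP limits" relationship above can be checked against a small model. This is an added example, not AWS code: the organization tree, the account ids and the SCP documents are constructed here, and each SCP is simplified to Effect and Action (Resource "*" assumed, Condition keys omitted).

```python
from fnmatch import fnmatch

# Constructed sample SCPs (simplified to Effect + Action; Resource "*" assumed,
# Condition keys omitted). FULL_ACCESS mirrors the default FullAWSAccess policy.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": ["organizations:LeaveOrganization"]}]}
WORKLOAD_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"]}]}
DENY_IAM_USERS = {"Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"]}]}

# Constructed org tree: root -> OU -> nested OU -> account. Account ids are placeholders.
ORG = {
    "r-root":       {"parent": None,           "scps": [FULL_ACCESS, DENY_LEAVE_ORG]},
    "ou-workloads": {"parent": "r-root",       "scps": [WORKLOAD_ALLOW_LIST]},
    "ou-prod":      {"parent": "ou-workloads", "scps": [FULL_ACCESS, DENY_IAM_USERS]},
    "111111111111": {"parent": "ou-prod",      "scps": [FULL_ACCESS]},  # member account
    "222222222222": {"parent": "r-root",       "scps": [FULL_ACCESS]},  # management account
}
MANAGEMENT_ACCOUNT = "222222222222"

def _matches(stmt, action):
    return any(fnmatch(action.lower(), pat.lower()) for pat in stmt["Action"])

def level_permits(scps, action):
    """All SCPs attached at one level are read together: an explicit Deny in any
    of them wins, otherwise at least one Allow statement must match."""
    stmts = [s for policy in scps for s in policy["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)

def path_to_root(node):
    """Chain of nodes from the account up through each OU to the organization root."""
    chain = []
    while node is not None:
        chain.append(node)
        node = ORG[node]["parent"]
    return chain

def scp_permits(account, action):
    """Inheritance rule: the action must be permitted at EVERY level on the path
    (account, each OU above it, root). The management account is exempt."""
    if account == MANAGEMENT_ACCOUNT:
        return True
    return all(level_permits(ORG[level]["scps"], action) for level in path_to_root(account))

def effective_allow(account, action, iam_allows):
    """IAM grants, SCP limits: the request succeeds only when both permit it."""
    return iam_allows and scp_permits(account, action)
```

Note that the member account attaches FULL_ACCESS itself and still cannot run `lambda:CreateFunction`: a lower level can never add back what an OU above it left out.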
